Computing systems, such as desktop or portable devices, are vulnerable to attacks from viruses, worms, ransomware or other forms of malware. Data stored in a memory of a computing system may be subject to various types of undesired modification (e.g., encryption) if targeted by one of these attacks. Since software is typically modified only during a system installation or a software upgrade, protections are sometimes put in place to eliminate the threat to software stored in system memory during these operations. One example is a protected region, known as an “enclave”, within the software's address space. System hardware/firmware provides confidentiality and integrity for data and/or operations in an enclave, even from privileged malware attacks, for example through cryptography and hardware isolation of memory associated with the enclave. However, file system data is often generated locally by users and routinely modified thereafter. This makes such file system data especially vulnerable to infection via a malware attack. For example, malware may infect a file system as a result of being downloaded to a computer through sites offering free software, file sharing sites and/or legitimate sites that have been hacked. In other words, the users download and run malicious programs voluntarily, thinking that legitimate software is being installed on their devices.
Ransomware refers to malicious processes or programs that block or otherwise interfere with a user's interaction with the operating system or the file system (which normally includes most of a user's data) of a computing device, such as a desktop computer, a smartphone, a tablet or other such devices. These malicious processes or programs may then demand (e.g., in a message shown on a display) a transfer of funds to the distributors of the offending process or program in exchange for restoration of the functionality of the computing device's operating system or the file system including the user's data. An example sequence of events during a ransomware attack is as follows. Once admitted into the system (e.g., downloaded by a user), the malicious program may block the user's interaction with the data in the file system by encrypting the files so that the user cannot read them. The malicious program then displays, e.g., on all graphical user interfaces, a message that the data in the file system has been encrypted, together with instructions for decrypting it. In the instructions, there is usually a demand for payment that must be provided before an encryption key needed to unlock the computing device may be provided to the user.
Some users may try to protect themselves by constantly backing up their data. However, most data backup solutions are designed with a disaster recovery use case in mind. Whether the data is backed up in offsite servers or in cloud-based storage services, there is no consideration given to whether the backed-up data is clean and may be safely restored at any time. Therefore, the ransomware attack may easily infect the backup data by repeatedly encrypting the file system data and triggering a back-up of the data. This may easily lead to the point where all the versions of the data in the back-up are encrypted as well.
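
The version-eviction problem described above can be reproduced with a small simulation. The following is an added example, not part of the original text: it compares a plain rotating backup with one that checks each incoming version before letting it displace an older one. The class names, the byte-entropy heuristic and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter, deque

THRESHOLD = 7.5  # assumed cut-off in bits per byte; not a value from the text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RotatingBackup:
    """Keeps the newest `keep` versions; each backup evicts the oldest."""

    def __init__(self, keep: int):
        self.versions = deque(maxlen=keep)

    def backup(self, data: bytes) -> None:
        self.versions.append(data)


class GatedBackup(RotatingBackup):
    """Same rotation, but encrypted-looking data never evicts a version."""

    def __init__(self, keep: int):
        super().__init__(keep)
        self.quarantine = []

    def backup(self, data: bytes) -> None:
        if shannon_entropy(data) > THRESHOLD:
            self.quarantine.append(data)  # held for review, outside rotation
        else:
            super().backup(data)


def simulate(store, encrypted_cycles: int) -> int:
    """Back up 5 constructed documents, then N encrypted copies.
    Returns how many retained versions are still readable."""
    for i in range(5):
        store.backup((f"Quarterly report, draft {i}\n" * 200).encode())
    for _ in range(encrypted_cycles):
        store.backup(os.urandom(4096))  # constructed stand-in for ciphertext
    return sum(shannon_entropy(v) <= THRESHOLD for v in store.versions)


if __name__ == "__main__":
    print("plain rotation:", simulate(RotatingBackup(keep=3), 3))
    print("gated rotation:", simulate(GatedBackup(keep=3), 3))
```

Legitimately compressed or encrypted files also have high byte entropy, which is why the gated store quarantines suspect versions for review instead of discarding them.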